Who's Got Root? Installing and Configuring Tripwire - Page 2


Rulesets
At last we come to the heart of Tripwire: the rulesets that go in the policy file.
twpol.txt and policyguide.txt are good models to study. The basic syntax is:

objectname -> property mask;

Objectname is a file or directory name. If a directory is specified, everything in the directory is
scanned and the property mask is applied to everything in it. If it's a file, the rule applies only to that file. Tripwire provides rules and tools to create as many variations on these basic themes as needed. For a complete reference, download the
User's Guide from the Tripwire Project page (see Resources); look for
2.3.0-docs-pdf or 2.3.0-docs-src.

Canned property mask variables are supplied to handle common needs. Finer tuning can be done with more precise attributes, each preceded with
+ (to turn a property on) or - (to turn it off). The equivalent of ReadOnly is +pinugtsdbmCM-rlacSH. +pinug is commonly used; it means file permissions, inode number, inode reference count, user ID, and group ID.

Property masks can be user-defined:

mask1 = +pinug ;
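To make the +/- mask syntax concrete, here is an added example (not code from the article or from Tripwire) that decodes a mask string into the properties it enables and then runs a mask-driven check on a constructed sample file, showing that +pinug misses a same-size content change that the ReadOnly mask (with its M for MD5) catches. The property-letter table follows the twpol.txt conventions; HAVAL is parsed but not computed.

```python
"""Decode Tripwire property masks and run a mask-driven integrity check on a
sample file. Added example for this article; not Tripwire's own code."""
import hashlib, os, stat, tempfile, zlib

# Property letters as used in twpol.txt masks (HAVAL is parsed but not computed here).
PROPS = {"p": "permissions", "i": "inode", "n": "nlinks", "u": "uid", "g": "gid",
         "t": "type", "s": "size", "d": "device", "b": "blocks", "a": "atime",
         "m": "mtime", "c": "ctime", "C": "crc32", "M": "md5", "S": "sha1",
         "H": "haval", "r": "rdev", "l": "growing"}
READONLY = "+pinugtsdbmCM-rlacSH"   # the article's equivalent of ReadOnly

def parse_mask(mask):
    """'+' switches the letters that follow on, '-' switches them off; later wins."""
    enabled, sign = set(), "+"
    for ch in mask.replace(" ", ""):
        if ch in "+-":
            sign = ch
        elif ch in PROPS:
            (enabled.add if sign == "+" else enabled.discard)(PROPS[ch])
        else:
            raise ValueError("unknown property letter %r" % ch)
    return enabled

def snapshot(path, props):
    """Record only the properties the mask enables, as the Tripwire database would."""
    st = os.stat(path)
    fields = {"permissions": stat.S_IMODE(st.st_mode), "type": stat.S_IFMT(st.st_mode),
              "inode": st.st_ino, "nlinks": st.st_nlink, "uid": st.st_uid, "gid": st.st_gid,
              "size": st.st_size, "device": st.st_dev, "blocks": getattr(st, "st_blocks", 0),
              "atime": st.st_atime_ns, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}
    if props & {"crc32", "md5", "sha1"}:
        with open(path, "rb") as f:
            data = f.read()
        fields.update(crc32=zlib.crc32(data), md5=hashlib.md5(data).hexdigest(),
                      sha1=hashlib.sha1(data).hexdigest())
    return {k: v for k, v in fields.items() if k in props}

def violations(baseline, current):
    """Property names whose recorded value differs from the current one."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))

def demo():
    """Overwrite a file in place (same size) and compare what +pinug and ReadOnly catch."""
    path = os.path.join(tempfile.mkdtemp(), "sample.conf")   # constructed sample file
    with open(path, "wb") as f:
        f.write(b"PermitRootLogin no\n")                       # 19 bytes
    base = {m: snapshot(path, parse_mask(m)) for m in ("+pinug", READONLY)}
    with open(path, "r+b") as f:                               # same inode, same length
        f.write(b"PermitRootLogin yes")                        # 19 bytes, new content
    return {m: violations(base[m], snapshot(path, parse_mask(m))) for m in base}

if __name__ == "__main__":
    for mask, bad in demo().items():
        print("%-22s -> %s" % (mask, bad or "no violations"))
```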

What to do if a scan reports violations? It undoubtedly will, most likely as the result of
over-strict rules. There are several options for running an integrity check.
This command runs a basic integrity check; results are displayed on the
screen, and a binary copy of the report is saved to the file location specified
in tw.cfg:

# tripwire --check

Run an integrity check, and specify the report file destination:

# tripwire --check --twrfile /filename

Run an integrity check, and email reports to recipients as specified in
tw.pol:

# tripwire --check --email-report

Adding --interactive to the check does a live check: each violation is listed as it's found, with a checkbox. All are checked by default; uncheck the items you do not want future alarms for. When you're finished, close the file; Tripwire will ask for your password and automatically update the database. Use:

# tripwire --update --twrfile /var/lib/report/reportname.twr

to update the database from a report that has already been generated.

Conclusion
Give yourself a test machine and a couple of weeks to get up to speed. Tripwire is very flexible and powerful. It takes a little experimentation to get a handle on its
abilities and to become familiar with the command options. It's an essential utility, the tool of choice to
watch the watchers.